Summary
VPP: add the vpp-crypto-engines dependency for IPsec
Without vpp-crypto-engines, VPP cannot handle IPsec SAs.
Additional information
Example:
set interfaces ethernet eth0 address '10.0.0.2/30'
set interfaces ethernet eth0 description 'WAN'
set system host-name 'vpp-right'
set system option kernel memory default-hugepage-size '2M'
set system option kernel memory hugepage-size 2M hugepage-count '1800'
set vpn ipsec authentication psk PSK id '10.0.0.1'
set vpn ipsec authentication psk PSK id '10.0.0.2'
set vpn ipsec authentication psk PSK secret '1234567890'
set vpn ipsec esp-group ESP-group lifetime '3600'
set vpn ipsec esp-group ESP-group mode 'tunnel'
set vpn ipsec esp-group ESP-group pfs 'enable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group lifetime '28800'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer LEFT authentication local-id '10.0.0.2'
set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer LEFT authentication remote-id '10.0.0.1'
set vpn ipsec site-to-site peer LEFT connection-type 'respond'
set vpn ipsec site-to-site peer LEFT ike-group 'IKE-group'
set vpn ipsec site-to-site peer LEFT local-address '10.0.0.2'
set vpn ipsec site-to-site peer LEFT remote-address '10.0.0.1'
set vpn ipsec site-to-site peer LEFT tunnel 0 esp-group 'ESP-group'
set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '100.64.2.0/24'
set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '100.64.1.0/24'
set vpp settings interface eth0 driver 'dpdk'
set vpp settings interface eth1 driver 'dpdk'
set vpp settings ipsec
set vpp settings unix poll-sleep-usec '120'
Log:
Aug 11 11:55:09 vpp-right charon-systemd[4688]: CHILD_SA LEFT-tunnel-0{2} established with SPIs cee67307_i ca45e459_o and TS 100.64.2.0/24 === 100.64.1.0/24
Aug 11 11:55:09 vpp-right vpp[1901]: linux-cp/ipsec: ipsec sa add cce6bfeb failure(err: -9) 10.0.0.1 -> 10.0.0.2
Aug 11 11:55:09 vpp-right vpp[1901]: ipsec_sa_add_and_lock:548: No crypto engine support for sha-256-128
Aug 11 11:55:09 vpp-right vpp[1901]: linux-cp/ipsec: ipsec sa add cb452f16 failure(err: -9) 10.0.0.2 -> 10.0.0.1
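A check for the condition visible in the log above, where charon reports the CHILD_SA as established while VPP rejects both SA installs, so the tunnel looks up in IKE but has no dataplane SA. This is an added example, not part of the original report or of VyOS/VPP code; the function name and the two-second correlation window are assumptions, and the sample lines are the ones from this report.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the report above.
SAMPLE_LOG = """\
Aug 11 11:55:09 vpp-right charon-systemd[4688]: CHILD_SA LEFT-tunnel-0{2} established with SPIs cee67307_i ca45e459_o and TS 100.64.2.0/24 === 100.64.1.0/24
Aug 11 11:55:09 vpp-right vpp[1901]: linux-cp/ipsec: ipsec sa add cce6bfeb failure(err: -9) 10.0.0.1 -> 10.0.0.2
Aug 11 11:55:09 vpp-right vpp[1901]: ipsec_sa_add_and_lock:548: No crypto engine support for sha-256-128
Aug 11 11:55:09 vpp-right vpp[1901]: linux-cp/ipsec: ipsec sa add cb452f16 failure(err: -9) 10.0.0.2 -> 10.0.0.1
"""

PREFIX = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([\w-]+)\[\d+\]: (.*)$")
ESTABLISHED = re.compile(r"CHILD_SA (\S+?)\{\d+\} established with SPIs")
SA_FAIL = re.compile(r"ipsec sa add (\w+) failure\(err: (-?\d+)\) (\S+) -> (\S+)")
NO_ENGINE = re.compile(r"No crypto engine support for (\S+)")

def find_dataplane_gaps(log_text, window_s=2):
    """Return (gaps, algorithms): CHILD_SAs charon logged as established while VPP,
    on the same host and within window_s seconds, failed an SA add. The ids VPP
    logs differ from charon's SPIs in this report, so matching is by host and time."""
    established, failures, missing_algs = [], [], set()
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; 2000 is an arbitrary placeholder.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        host, prog, msg = m.group(2), m.group(3), m.group(4)
        if prog.startswith("charon") and (e := ESTABLISHED.search(msg)):
            established.append((ts, host, e.group(1)))
        elif prog == "vpp" and (f := SA_FAIL.search(msg)):
            failures.append((ts, host, f.group(3), f.group(4), int(f.group(2))))
        elif prog == "vpp" and (n := NO_ENGINE.search(msg)):
            missing_algs.add(n.group(1))
    gaps = []
    window = timedelta(seconds=window_s)
    for ts, host, name in established:
        hits = [(src, dst, err) for fts, fhost, src, dst, err in failures
                if fhost == host and abs(fts - ts) <= window]
        if hits:
            gaps.append({"child_sa": name, "host": host,
                         "failed_sa_adds": hits})
    return gaps, sorted(missing_algs)

if __name__ == "__main__":
    gaps, algs = find_dataplane_gaps(SAMPLE_LOG)
    for g in gaps:
        print(f"{g['host']}: {g['child_sa']} up in IKE, missing in VPP: {g['failed_sa_adds']}")
    print("algorithms without a VPP crypto engine:", algs)
```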